Exploding Garrmondo Weiner Interactive Swiss Army Penis


gaming Apr 7, 2009 01:50 AM

Preventing people from using own USB sticks?
 
Hi

I have a question.
How do I prevent people from using their own USB sticks in a computer lab?
USB sticks nowadays are getting large in terms of storage and a lot of portable software is out there. I think you can even run operating systems on memory sticks.

I've heard about PCs using USBs with specific software installed in order to log in and use the PC. Are these USBs specific to the PC or is it just the software that is installed on the USB that makes the USB unique?

If so, where can I buy these USBs...?

Chaotic Apr 7, 2009 02:18 AM

I'd figure they would just buy a huge flash card (8 gigs +) and install Linux on it. The only one I'm familiar with that you could install on a flash card would be Slax Linux.

Fluffykitten McGrundlepuss Apr 7, 2009 04:13 AM

The company I used to work for had something set up whereby you could only use the company's USB sticks on company computers but I'm afraid I have no idea how they did it.

I don't understand much of it but this article might be of some help to you.

gaming Apr 7, 2009 08:11 AM

I'll take a look at it.
Thank you :)

Zergrinch Apr 7, 2009 07:00 PM

Here is an alternate link
Disable USB Disks with GPO

If you're on Windows Vista, your job is considerably easier, it seems.

gaming Apr 8, 2009 05:54 AM

I do want the users to be able to use USB, but not their own :)

LiquidAcid Apr 10, 2009 12:38 PM

You would need some authentication between the stick and the operating system.

Since the stick is a totally passive device I doubt it will be that easy. Let's see: the only way you can do auth is putting some files on the stick and maybe fiddle around with the device identification values (vendor, product id, etc.).
All of this is clonable. You can copy files and filesystem on the stick and you can probably also clone the ident vals (e.g. by getting an identical stick).

So nothing of this is particularly safe. You could get some custom-made USB sticks which contain auth hw, and only let you access the data storage after auth is completed. That's of course not going to work with regular sticks you usually buy ;)

That's probably what Shin's company did. However I see more problems coming when implementing this. First of all you can't have identical auth data on all devices, since you want to precisely enable/disable devices when a stick gets e.g. lost. Disabling all devices isn't an option... at least if we're talking about a bigger amount of sticks. Then you need to distribute auth data to the clients (the machines that should accept the stick) safely, plus avoiding that anyone toys around with the auth data on their machine.

That's a whole bunch of non-trivial problems...
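
The per-stick authentication and revocation described in the post above can be sketched as follows. This is an added example, not part of the original thread; `AuthStick`, `Host`, and the `LAB-…` IDs are hypothetical, the stick's auth hardware is modelled as an object whose key never leaves it, and HMAC-SHA256 challenge-response is one possible choice of scheme.

```python
import hashlib
import hmac
import secrets


class AuthStick:
    """Stands in for a stick whose auth hardware holds a per-device key."""
    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id   # readable, and therefore clonable
        self._key = key              # assumed never to leave the hardware

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Host:
    """Lab machine: one key per enrolled stick plus a revocation set."""
    def __init__(self):
        self._keys = {}        # device_id -> key; must be protected on the host
        self._revoked = set()  # IDs of sticks reported lost

    def enroll(self, device_id: str) -> AuthStick:
        key = secrets.token_bytes(32)   # unique per stick, so a loss affects one stick
        self._keys[device_id] = key
        return AuthStick(device_id, key)

    def revoke(self, device_id: str) -> None:
        self._revoked.add(device_id)

    def allow(self, stick: AuthStick) -> bool:
        key = self._keys.get(stick.device_id)
        if key is None or stick.device_id in self._revoked:
            return False
        challenge = secrets.token_bytes(16)   # fresh nonce, so old answers cannot be replayed
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, stick.respond(challenge))


def demo() -> dict:
    host = Host()
    stick_a = host.enroll("LAB-0001")   # constructed sample IDs
    stick_b = host.enroll("LAB-0002")
    clone = AuthStick("LAB-0001", b"\x00" * 32)   # copied ID, but not the key
    results = {"genuine": host.allow(stick_a), "clone": host.allow(clone)}
    host.revoke("LAB-0001")                        # stick_a reported lost
    results["revoked"] = host.allow(stick_a)
    results["other_stick"] = host.allow(stick_b)
    return results
```

The host-side key table is the "auth data on the machine" the post warns about: anyone who can read it can impersonate every enrolled stick, so it needs the same protection as the lockout itself.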

Araes Apr 10, 2009 07:38 PM

Against a concerted employee who's willing to do the research, it's near impossible to completely limit access to USB devices, as they've got the hardware, which is a huge disadvantage. At best, you can make it difficult for them to do so, and make the costs outweigh the rewards only for those who have an extreme need.

With custom hardware you could probably assign hardware bits with a hash pattern. It would be repeatable and you would be able to disable selected values out of the hash through administrator pushed updates. However, a determined person with access to several USB devices could probably figure out the pattern. They could also use easier methods like just getting around the administrative privileges on the system itself and disabling the lockout.

You could also have handshake software installed on both, as has been mentioned, which would serve a similar function, but with a few read only files. Again, similar problem that they have access to the hardware, and there are known attacks for most major OS' to enable admin access.

Also, why only company USB devices? Is this to avoid something like USB data theft?

gaming Apr 11, 2009 02:36 PM

Cannot let prisoners bring their own USB sticks :)
Hmm...seems like this USB situation is more difficult than I thought.
Maybe it's best to disable all use of USB ports.

Zergrinch Apr 12, 2009 03:45 AM

Prisoners?

Okay, so what specifically is your situation? Do you have a kiosk or something which prisoners can access? Why do they need to access said computer, and what kind of information do you have on that computer that they shouldn't be able to download? Or, do you just want to prevent them from running programs on USB disks?

gaming Apr 12, 2009 04:27 PM

They might get laptops in their cells. Must first prevent them from running programs on USB sticks.

Vemp Apr 12, 2009 04:51 PM

I just read this article a few hours ago at work, and I thought it's a pretty simple solution to your query.

Quote:

If strangers have physical access to your PC, it's easy for them to plug in a USB flash drive and make copies of your data. If you're using Windows XP SP2 or later, though, there's a simple way to prevent this from happening.

Go to 'HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies', create a DWORD value called 'WriteProtect' and set it to 1. You'll be able to read USB drives, but not write to them any more.
Here's the rest of the article: 20 registry hacks to make your PC more awesome


I didn't read the first post carefully.

Zergrinch Apr 13, 2009 09:04 PM

Gaming, just lock down the computer something fierce so that they can only run programs that are authorized...

gaming Apr 14, 2009 02:48 AM

At the moment, I'm just looking for ideas and suggestions to see what's best to do.

Zergrinch Apr 14, 2009 02:55 AM

That would be my suggestion then. Restrict the prisoners from running all programs except for a list of already vetted applications. This can be done using Group Policies, and is more painless than trying to prevent them from using unauthorized USB sticks.

This Tom's Hardware post refers to Windows 2000, but you should be able to pull it off in XP and Vista as well:
Prevent Running of Unauthorized Program via GPO


All times are GMT -5.